Abstract — We consider secret key generation for a "pairwise
independent network" model in which every pair of terminals
observes correlated sources that are independent of sources 
observed by all other pairs of terminals. The terminals are then 
allowed to communicate publicly with all such communication 
being observed by all the terminals. The objective is to generate 
a secret key shared by a given subset of terminals at the largest 
rate possible, with the cooperation of any remaining terminals. 
Secrecy is required from an eavesdropper that has access to the 
public interterminal communication. A (single-letter) formula for 
secret key capacity brings out a natural connection between the 
problem of secret key generation and a combinatorial problem 
of maximal packing of Steiner trees in an associated multigraph. 
An explicit algorithm is proposed for secret key generation based 
on a maximal packing of Steiner trees in a multigraph; the 
corresponding maximum rate of Steiner tree packing is thus a 
lower bound for the secret key capacity. When only two of the 
terminals or when all the terminals seek to share a secret key, 
the mentioned algorithm achieves secret key capacity in which 
case the bound is tight. 

Index Terms - PIN model, private key, public communication, 
secret key capacity, security index, spanning tree packing, Steiner 
tree packing, wiretap secret key. 



I. Introduction 

Suppose that terminals $1, \ldots, m$ observe distinct but correlated
signals with the feature that every pair of terminals observes a
corresponding pair of correlated signals that are independent of all
other pairs of signals. Following these observations, all the
terminals can communicate interactively over a public noiseless
channel of unlimited capacity, with all such communication being
observed by all the terminals. The goal is to generate a secret key
(SK), i.e., secret common randomness, for a given subset $A$ of the
terminals in $\mathcal{M} = \{1, \ldots, m\}$ at the largest rate
possible, with secrecy being required from an eavesdropper that
observes the public interterminal communication. All the terminals in
$\mathcal{M}$ cooperate in generating the SK for the secrecy-seeking
set $A$.

This model for SK generation, called a "pairwise independent
network" model, was introduced in [23] (see also [22]). Abbreviated
hereafter as the PIN model, it is motivated by practical aspects of a
wireless communication network in which terminals communicate on the
same frequency. In a
typical multipath environment, the wireless channel between 
each pair of terminals produces a random mapping between 
the transmitted and received signals which is time-varying and 
location-specific. For a fixed time and location, this mapping 
is reciprocal, i.e., effectively the same in both directions. 
Also, the mapping decorrelates over different time-coherence 
intervals as well as over distances of the order of a few 
wavelengths. 

The PIN model is, in fact, a special case of a general
multiterminal "source model" for secrecy generation studied
by Csiszár and Narayan IH. The latter followed leading
investigations by Maurer [13], [14] and Ahlswede and Csiszár
HI of SK generation by two terminals from their correlated
observations complemented by public communication.

A single-letter characterization of secret key capacity - the largest
rate at which secrecy can be generated - for the terminals in an
arbitrary subset $A$ of $\mathcal{M}$ was provided in [4]. A
particularization of this (general) SK capacity formula to our PIN
model displays the special feature that it can be expressed in terms
of a linear combination of mutual information terms that involve only
mutually independent pairs of "reciprocal" random variables (rvs).
Each such mutual information term represents the maximum rate of an SK
that can be generated solely by a corresponding pair of terminals from
only their own observed signals using public communication [13], [14],
Oj. This observation leads to the following question that is our main
motivation: Can an SK of optimum rate for the terminals in $A$ be
generated by propagating mutually independent and rate-optimal SKs for
pairs of terminals in $\mathcal{M}$?

An examination of this question brings out points of contact between
SK generation for a PIN model and a combinatorial problem of tree
packing in a multigraph. We propose an explicit algorithm for
propagating pairwise SKs for pairs of terminals in $\mathcal{M}$ to
form a groupwide SK for the terminals in $A$. This algorithm is based
on a maximal packing of Steiner trees (for $A$) in a multigraph
associated with the PIN model. Thus, the maximum rate of Steiner tree
packing in this multigraph is always a lower bound for SK capacity.
This bound is shown to be tight when the secrecy-seeking set $A$
contains only two terminals or when it consists of all the terminals.
In these situations, our algorithm is capacity-achieving. It is of
independent interest to note that given a combinatorial problem of
determining the maximum rate of Steiner tree packing for $A$ in a
multigraph, the SK capacity of an associated PIN model provides, in
reciprocity, an upper bound for the mentioned rate, which is tight for
the case $|A| = 2$ as well as for the spanning tree case
$A = \mathcal{M}$.

In the study of secrecy generation for a multiterminal source model,
the notions of wiretap SK [13], El, ID, E| and private key H also have
been proposed. The former notion corresponds to the eavesdropper
having additional access to a terminal not in the secrecy-seeking set
$A$ and from which too the key must be concealed; this "wiretapped"
terminal does not cooperate in secrecy generation. A single-letter
characterization of the corresponding capacity remains unresolved in
general but for partial results and bounds (cf. e.g., HI, [14], [19],
11, in, Uni, §\). The notion of a private key is less restrictive,
with the wiretapped terminal being allowed to cooperate; the
corresponding capacity is known 14). We argue in Section IV below that
for a PIN model these two notions correspond to SK generation for a
reduced PIN model, thereby justifying our sole focus on SK capacity.

Basic concepts and definitions are presented in Section 
II. Section III contains statements of our results and proofs; 
specifically, the SK capacity for the PIN model is given in 
Section III.A, the connection of SK capacity with Steiner tree
packing is treated in Section III.B, and with spanning tree 
packing in Section III.C. Concluding remarks and pointers to 
a sequel paper are contained in Section IV. 

II. Preliminaries 

We shall be concerned throughout with a PIN model, which is a special
case of a general multiterminal "source model" for secrecy generation
with public communication (see [14], HI, 0, 13). Suppose that
terminals $1, \ldots, m$, $m \geq 2$, observe $n$ independent and
identically distributed (i.i.d.) repetitions of the rvs
$X_1, \ldots, X_m$, denoted by $X_1^n, \ldots, X_m^n$, where
$X_i^n = (X_{i,1}, \ldots, X_{i,n})$,
$i \in \mathcal{M} = \{1, \ldots, m\}$. Each rv $X_i$,
$i \in \mathcal{M}$, is of the form
$X_i = (X_{ij},\ j \in \mathcal{M} \setminus \{i\})$ with $m - 1$
components, and the "reciprocal pairs" of rvs
$\{(X_{ij}, X_{ji}),\ 1 \leq i < j \leq m\}$ are mutually independent.
See Figure 1. Thus, every pair of terminals in $\mathcal{M}$ is
associated with a corresponding pair of rvs that are independent of
pairs of rvs associated with all the other pairs of terminals. All the
rvs are assumed to take their values in finite sets. Following their
observation of the random sequences as above, the terminals in
$\mathcal{M}$ are allowed to communicate among themselves over a
public noiseless channel of unlimited capacity; all such
communication, which may be interactive and conducted in multiple
rounds, is observed by all the terminals. A communication from a
terminal, in general, can be any function of its observed sequence as
well as all previous public communication. The public communication of
all the terminals will be denoted collectively by
$\mathbf{F} = \mathbf{F}^{(n)}$.

The overall goal is to generate shared secret common 
randomness for a given set $A \subseteq \mathcal{M}$ of terminals at the largest
rate possible, with the remaining terminals (if any) cooperating 
in secrecy generation. The resulting secret key must be shared 
by every terminal in A; but it need not be accessible to the 
terminals not in A and nor does it need to be concealed from 
them. It must, of course, be kept secret from the eavesdropper 
that has access to the public interterminal communication 
F, but is otherwise passive, i.e., unable to tamper with this 
communication. 
Figure 1: The PIN Model

The following basic concepts and definitions are from H, JSJ. Given
$\varepsilon > 0$, for rvs $U$, $V$, we say that $U$ is
$\varepsilon$-recoverable from $V$ if
$\Pr\{U \neq f(V)\} \leq \varepsilon$ for some function $f(V)$ of $V$.
With the rvs $K$ and $\mathbf{F}$ representing a secret key and the
eavesdropper's knowledge, respectively, information theoretic secrecy
entails that the security index

$$ s(K; \mathbf{F}) \triangleq \log |\mathcal{K}| - H(K \mid \mathbf{F}) $$

be required to be small, where $\mathcal{K}$ is the range of $K$ and
$|\cdot|$ denotes cardinality. This requirement simultaneously renders
$K$ to be nearly uniformly distributed and nearly independent of
$\mathbf{F}$.

Definition 1: Given any set $A \subseteq \mathcal{M}$ of size
$|A| \geq 2$, a rv $K$ constitutes an $\varepsilon$-secret key
($\varepsilon$-SK) for the set of terminals $A$, achievable with
communication $\mathbf{F}$, if $K$ is $\varepsilon$-recoverable from
$(X_i^n, \mathbf{F})$ for each $i \in A$ and, in addition, it
satisfies the secrecy condition

$$ s(K; \mathbf{F}) \leq \varepsilon. \tag{1} $$

The condition (1) corresponds to the concept of "strong" secrecy in
which $\varepsilon = \varepsilon_n = o_n(1)$ ITSJI, Q, 15), as
distinct from the earlier "weak" secrecy concept which requires only
that $\varepsilon_n = o(n)$ d, Q.

Definition 2: A number $R$ is an achievable SK rate for a set of
terminals $A \subseteq \mathcal{M}$ if there exist $\varepsilon_n$-SKs
$K^{(n)}$ for $A$, achievable with communication $\mathbf{F}$, such
that

$$ \varepsilon_n \to 0 \quad \text{and} \quad \frac{1}{n} \log |\mathcal{K}^{(n)}| \to R. $$

The largest achievable SK rate for $A$ is the SK capacity $C(A)$.

Thus, by definition, the SK capacity for $A$ is the largest rate of a
rv that is recoverable at each terminal in $A$ from the information
available to it, and is nearly uniformly distributed and effectively
concealed from an eavesdropper with access to the public interterminal
communication; it need not be concealed from the terminals in
$A^c = \mathcal{M} \setminus A$ that cooperate in secrecy generation.

A single-letter characterization of the SK capacity $C(A)$,
$A \subseteq \mathcal{M}$, for a general multiterminal source model,
of which the PIN model is a special case, is provided in 01. An upper
bound for $C(A)$ in terms of (Kullback-Leibler) divergence is also
given therein and shown to be tight in special cases. These results
play material roles below.



All logarithms are to the base 2.



III. Results 

Our main results are the following. First, we obtain, upon
particularizing the results of [0], a (single-letter) expression for
$C(A)$ for a PIN model, in terms of a linear combination of mutual
information terms that involve only pairs of "reciprocal" rvs
$\{(X_{ij}, X_{ji}),\ 1 \leq i \neq j \leq m\}$. Second, stemming from
this observation, a connection is drawn between SK generation for the
PIN model and the combinatorial problem of maximal packing of Steiner
trees in an associated multigraph. Specifically, we show that the
maximum rate of Steiner tree packing in the multigraph is always a
lower bound for SK capacity. Third, for the case $|A| = 2$ (when the
Steiner tree becomes a path connecting the two vertices in $A$) and
for the case $A = \mathcal{M}$ (when the Steiner tree becomes a
spanning tree), the previous lower bound is shown to be tight. This is
done by means of an explicit algorithm, based on maximal path packing
and maximal spanning tree packing, respectively, that forms an SK out
of independent SKs for pairs of terminals. In fact, the maximum rate
of the SK thereby generated equals the previously known upper bound
for SK capacity lU mentioned above.

A. SK Capacity 

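We first give the SK capacity $C(A)$ for the PIN model. For
$A \subseteq \mathcal{M}$, let

$$ \mathcal{B}(A) = \{ B \subset \mathcal{M} : B \neq \emptyset,\ B \not\supseteq A \} $$

and $\mathcal{B}_i(A)$ be its subset consisting of those
$B \in \mathcal{B}(A)$ that contain $i$, $i \in \mathcal{M}$. Let
$\Lambda(A)$ be the set of all collections
$\lambda = \{\lambda_B : B \in \mathcal{B}(A)\}$ of weights
$0 \leq \lambda_B \leq 1$, satisfying

$$ \sum_{B \in \mathcal{B}_i(A)} \lambda_B = 1 \quad \text{for all } i \in \mathcal{M}. \tag{2} $$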



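Proposition 3.1: For a PIN model, the SK capacity for a set of
terminals $A \subseteq \mathcal{M}$, with $|A| \geq 2$, is

$$ C(A) = \min_{\lambda \in \Lambda(A)} \sum_{1 \leq i < j \leq m} \Biggl( \sum_{B \in \mathcal{B}(A):\ i \in B,\ j \in B^c} \lambda_B \Biggr) I(X_{ij} \wedge X_{ji}). \tag{3} $$

Remark: (i) It is of interest in (3) that the SK capacity for a PIN
model depends on the joint probability distribution of the underlying
rvs only through a linear combination of the pairwise reciprocal
mutual information terms.

(ii) We note from [4, Theorem 3] that additional independent
randomization at the terminals in $\mathcal{M}$, enabled by giving
them access to the mutually independent rvs $M_1, \ldots, M_m$,
respectively, that are independent also of $(X_1^n, \ldots, X_m^n)$,
does not serve to enhance SK capacity. Heuristically speaking, the
mentioned independence of the randomization forces any additional
"common randomness" among the terminals in $A$ to be acquired only
through public communication, which is observed fully by the
eavesdropper. On the other hand, randomization can serve to enhance
secrecy generation for certain models (cf. e.g., [21]).

Proof: The proof entails an application of the formula for SK capacity
in E), |g| to the PIN model. For $B \in \mathcal{B}(A)$, denote
$X_B = (X_i,\ i \in B)$. From [5, Theorem 3.1],

$$ C(A) = H(X_1, \ldots, X_m) - \max_{\lambda \in \Lambda(A)} \sum_{B \in \mathcal{B}(A)} \lambda_B H(X_B \mid X_{B^c}). \tag{4} $$

For the PIN model, since
$X_i = (X_{ij},\ j \in \mathcal{M} \setminus \{i\})$, we observe in
(4) that

$$ H(X_1, \ldots, X_m) = H\bigl(\{(X_{ij}, X_{ji})\}_{1 \leq i < j \leq m}\bigr) = \sum_{1 \leq i < j \leq m} H(X_{ij}, X_{ji}) \tag{5} $$

and

$$
\begin{aligned}
H(X_B \mid X_{B^c}) &= H(X_{\mathcal{M}}) - H(X_{B^c}) \\
&= \sum_{1 \leq i < j \leq m} H(X_{ij}, X_{ji})
 - \sum_{\substack{1 \leq i < j \leq m, \\ i \in B^c,\ j \in B^c}} H(X_{ij}, X_{ji})
 - \sum_{i \in B^c,\ j \in B} H(X_{ij}) \\
&= \sum_{\substack{1 \leq i < j \leq m, \\ i \in B,\ j \in B}} H(X_{ij}, X_{ji})
 + \sum_{i \in B^c,\ j \in B} H(X_{ji} \mid X_{ij}).
\end{aligned}
\tag{6}
$$

A straightforward manipulation of (4), using (5), (6), gives

$$
C(A) = \min_{\lambda \in \Lambda(A)} \sum_{1 \leq i < j \leq m} \Biggl[
 \Biggl( 1 - \sum_{\substack{B \in \mathcal{B}(A): \\ i \in B,\ j \in B}} \lambda_B \Biggr) H(X_{ij}, X_{ji})
 - \Biggl( \sum_{\substack{B \in \mathcal{B}(A): \\ i \in B^c,\ j \in B}} \lambda_B \Biggr) H(X_{ji} \mid X_{ij})
 - \Biggl( \sum_{\substack{B \in \mathcal{B}(A): \\ i \in B,\ j \in B^c}} \lambda_B \Biggr) H(X_{ij} \mid X_{ji})
\Biggr].
$$

Since, by (2),

$$
\sum_{\substack{B \in \mathcal{B}(A): \\ i \in B,\ j \in B^c}} \lambda_B
 = 1 - \sum_{\substack{B \in \mathcal{B}(A): \\ i \in B,\ j \in B}} \lambda_B
 = \sum_{\substack{B \in \mathcal{B}(A): \\ i \in B^c,\ j \in B}} \lambda_B,
$$

we get

$$
C(A) = \min_{\lambda \in \Lambda(A)} \sum_{1 \leq i < j \leq m}
 \Biggl( \sum_{\substack{B \in \mathcal{B}(A): \\ i \in B,\ j \in B^c}} \lambda_B \Biggr)
 \bigl[ H(X_{ij}, X_{ji}) - H(X_{ij} \mid X_{ji}) - H(X_{ji} \mid X_{ij}) \bigr],
$$

thereby completing the proof. ■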

An upper bound had been established for SK capacity for a general
multiterminal source model 2] Example 4]. This bound was expressed in
terms of the (Kullback-Leibler) divergence between the joint
distribution of the rvs defining the underlying correlated sources and
the product of the (marginal) distributions associated with
appropriate partitions of these rvs, thereby measuring the minimum
mutual dependence among the latter. The bound was particularized to
the PIN model in [23], and is restated below in a slightly different
form that will be used subsequently.

Let $\mathcal{P}$ be a partition of $\mathcal{M} = \{1, \ldots, m\}$,
and denote the number of atoms of $\mathcal{P}$ by $|\mathcal{P}|$.

Lemma 3.2 1^ : The SK capacity $C(A)$, $A \subseteq \mathcal{M}$, for
the PIN model is bounded above according to

$$ C(A) \leq C^{\mathrm{ub}}(A) \triangleq \min_{\mathcal{P}} \frac{1}{|\mathcal{P}| - 1} \sum_{\substack{1 \leq i < j \leq m: \\ (i,j) \text{ crosses } \mathcal{P}}} I(X_{ij} \wedge X_{ji}) \tag{7} $$

where for a fixed $\mathcal{P}$, a pair of indices $(i,j)$ crosses
$\mathcal{P}$ if $i$ and $j$ are in different atoms of $\mathcal{P}$.
The minimization in the right side of (7) is over all partitions
$\mathcal{P}$ of $\mathcal{M}$ for which every atom of $\mathcal{P}$
intersects $A$.



B. SK Capacity and Steiner Tree Packing 

There exists a natural connection between SK generation for 
the PIN model and the combinatorial problem of tree packing 
in an associated multigraph. 

Let $G = (V, E)$ be a multigraph, i.e., a connected undirected graph
with no self-loops and with multiple edges possible between any vertex
pair, whose vertex set $V = \mathcal{M} = \{1, \ldots, m\}$ and edge
set $E = \{e_{ij} \geq 0,\ 1 \leq i < j \leq m\}$, where $e_{ij}$ is
the number of edges connecting the pair of vertices $i, j$,
$1 \leq i < j \leq m$.

Definition 3: For $A \subseteq \mathcal{M}$, a Steiner tree of $G$
(for $A$) is a subgraph of $G$ that is a tree and whose vertex set
contains $A$. A Steiner packing of $G$ is any collection of edge
disjoint Steiner trees of $G$. Let $\mu(A, G)$ denote the maximum size
of such a packing (cf. ifTTI ).

We note that when $|A| = 2$, a Steiner tree for $A$ always contains a
path connecting the two vertices in $A$. Clearly, it suffices to take
$\mu(A, G)$ to be the maximum number of edge disjoint paths connecting
the two terminals in $A$.

Next, assume without any loss of generality in the PIN model that all
pairwise reciprocal mutual information values
$I(X_{ij} \wedge X_{ji})$, $1 \leq i \neq j \leq m$, are rational
numbers. Let $\mathcal{N}$ denote the collection of positive integers
$n$ such that $n I(X_{ij} \wedge X_{ji})$ is integer-valued for all
$1 \leq i \neq j \leq m$; clearly, the elements of $\mathcal{N}$ form
an arithmetic progression. For a PIN model, consider a sequence of
associated multigraphs
$\{G^{(n)} = (\mathcal{M}, E^{(n)}),\ n \in \mathcal{N}\}$, where
$E^{(n)}$, $n \in \mathcal{N}$, is such that
$e_{ij}^{(n)} = n I(X_{ij} \wedge X_{ji})$. We term
$\sup_{n \in \mathcal{N}} \frac{1}{n} \mu(A, G^{(n)})$ as the maximum
rate of Steiner tree packing in the multigraph
$G = (\mathcal{M}, E)$. The connection between SK generation for the
PIN model and Steiner tree packing is formalized below.

Theorem 3.3: For a PIN model,
(i) the SK capacity satisfies

$$ C(A) \geq \sup_{n \in \mathcal{N}} \frac{1}{n} \mu(A, G^{(n)}) \tag{8} $$

for every $A \subseteq \mathcal{M}$;

(ii) when $|A| = 2$, the SK capacity is

$$ C(A) = \sup_{n \in \mathcal{N}} \frac{1}{n} \mu(A, G^{(n)}) = C^{\mathrm{ub}}(A). \tag{9} $$

Remarks: (i) The inequality in (8) can be strict, as shown by a
specific example in a sequel paper [17]. See also the remark following
Theorem 3.4 for a heuristic explanation.

(ii) An exact determination of $\mu(A, G)$ is known to be NP-hard
||3l. A nontrivial upper bound for $\mu(A, G)$, similar in form to
(7), is known [12, paragraph 5 of Section 1]. This bound can be
extended to yield an upper bound for
$\sup_{n \in \mathcal{N}} \frac{1}{n} \mu(A, G^{(n)})$ which, in
general, is inferior to that provided by $C(A)$ in (8).

Proof: (i) The proof consists of two main steps. In the first step,
fix an $\varepsilon > 0$ that is smaller than every positive
$I(X_{ij} \wedge X_{ji})$, $1 \leq i < j \leq m$. Each pair of
terminals $i, j$ with $I(X_{ij} \wedge X_{ji}) > 0$ generates a
(pairwise) SK $K_{ij} = K_{ij}^{(n)}$ of size
$\lfloor n (I(X_{ij} \wedge X_{ji}) - \varepsilon) \rfloor$ bits,
using public communication $F_{ij} = F_{ij}^{(n)}$, and satisfying

$$ s(K_{ij}; F_{ij}) = o_n(1); \tag{10} $$

the existence of such an SK follows from ifTSl . The SK achievability
scheme in ifTSl consists of a "weak" SK generated by Slepian-Wolf data
compression, followed by "privacy amplification" to extract a "strong"
SK. Note by the definition of the PIN model that
$\{(K_{ij}, F_{ij})\}_{1 \leq i < j \leq m}$ are mutually independent.

In the second step, consider the sequence of multigraphs
$\{G_\varepsilon^{(n)} = (\mathcal{M}, E_\varepsilon^{(n)})\}_{n=1}^{\infty}$,
where $E_\varepsilon^{(n)}$ is such that the number of edges between
any pair of vertices $i, j$ equals
$\lfloor n (I(X_{ij} \wedge X_{ji}) - \varepsilon) \rfloor$. We next
show that every Steiner tree in a Steiner tree packing of
$G_\varepsilon^{(n)}$ yields one shared bit for the terminals in $A$
that is independent of the communication in that Steiner tree.
Specifically, for edges $(i,j)$ and $(i,j')$, $j \neq j'$, with common
vertex $i$ in the Steiner tree, vertex $i$ broadcasts to vertices
$j, j'$ the binary sum of two independent SK bits - one with $j$ and
the other with $j'$ - obtained from the first step. This enables
$i, j, j'$ to share any one of these two bits, with the attribute that
the shared bit is independent of the binary sum. This method of
propagation (111 proof of Theorem 5]) enables all the vertices in $A$,
which are connected in the Steiner tree, to share one bit that is
independent of all the broadcast binary sums from this tree.
Therefore, the maximum number of such shared bits for the terminals in
$A$ that can be generated by this procedure equals
$\mu(A, G_\varepsilon^{(n)})$. Denote these shared bits (of size
$\mu(A, G_\varepsilon^{(n)})$) and the communication messages
generated by the mechanism in this second step by
$K = K^{(n)}(\{K_{ij}\}_{1 \leq i < j \leq m})$ and
$F = F^{(n)}(\{K_{ij}\}_{1 \leq i < j \leq m})$, respectively.

We claim that $K$ constitutes an SK for $A$. Specifically, it remains
to show that $K$ satisfies the secrecy condition (1) with respect to
the overall communication in steps 1 and 2. To this end, we denote by
$K_R = K_R^{(n)}(\{K_{ij}\}_{1 \leq i < j \leq m})$ all the pairwise
SK bits generated in the first step that are residual from the maximal
Steiner tree packing of $G_\varepsilon^{(n)}$ used to generate $K$ by
means of $F$. Clearly,

$$ \{K_{ij}\}_{1 \leq i < j \leq m} = (K, F, K_R). \tag{11} $$

Moreover, since the total number of edges in any Steiner tree equals
the sum of unity (i.e., the shared bit of $K$) and the number of bits
of public communication for that shared bit, we have

$$ |E_\varepsilon^{(n)}| = \log |\mathcal{K}| + \log |\mathcal{F}| + \log |\mathcal{K}_R|, \tag{12} $$

where $\mathcal{K}$, $\mathcal{F}$ and $\mathcal{K}_R$ denote the
respective ranges of $K$, $F$ and $K_R$. Note that
$\log |\mathcal{K}| = \mu(A, G_\varepsilon^{(n)})$. Then,

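$$
\begin{aligned}
s\bigl(K; \{F_{ij}\}_{1 \leq i < j \leq m}, F\bigr)
&= \log |\mathcal{K}| - H\bigl(K \mid \{F_{ij}\}_{1 \leq i < j \leq m}, F\bigr) \\
&\leq \log |\mathcal{K}| - H\bigl(K \mid \{F_{ij}\}_{1 \leq i < j \leq m}, F, K_R\bigr) \\
&= \log |\mathcal{K}| - H\bigl(K, F, K_R \mid \{F_{ij}\}_{1 \leq i < j \leq m}\bigr)
 + H\bigl(F, K_R \mid \{F_{ij}\}_{1 \leq i < j \leq m}\bigr) \\
&= \log |\mathcal{K}| - H\bigl(\{K_{ij}\}_{1 \leq i < j \leq m} \mid \{F_{ij}\}_{1 \leq i < j \leq m}\bigr)
 + H\bigl(F, K_R \mid \{F_{ij}\}_{1 \leq i < j \leq m}\bigr), \text{ by (11)} \\
&\leq \log |\mathcal{K}| + s\bigl(\{K_{ij}\}_{1 \leq i < j \leq m}; \{F_{ij}\}_{1 \leq i < j \leq m}\bigr)
 - |E_\varepsilon^{(n)}| + H(F, K_R) \\
&\leq s\bigl(\{K_{ij}\}_{1 \leq i < j \leq m}; \{F_{ij}\}_{1 \leq i < j \leq m}\bigr), \text{ by (12)} \\
&= \sum_{1 \leq i < j \leq m} s(K_{ij}; F_{ij}) \\
&= \frac{m(m-1)}{2}\, o_n(1),
\end{aligned}
$$

where the second-to-last equality is by the fact that
$\{(K_{ij}, F_{ij})\}_{1 \leq i < j \leq m}$ are mutually independent,
and the last equality is by (10). The maximum rate of the SK thus
generated is equal to
$\lim_{n \to \infty} \frac{1}{n} \mu(A, G_\varepsilon^{(n)})$ which,
since $\varepsilon > 0$ was arbitrary, equals
$\sup_{n \in \mathcal{N}} \frac{1}{n} \mu(A, G^{(n)})$.

(ii) Suppose that $A = \{1, 2\}$, and note from the paragraph after
Definition 3 that $\mu(A, G)$ is the maximum number of edge disjoint
paths in $G$ connecting terminals 1 and 2. It is clear that
$\frac{1}{n} \mu(A, G^{(n)})$ is nondecreasing in
$n \in \mathcal{N}$, by the definition of $G^{(n)}$. According to
Menger's theorem [16], IS, given a multigraph $G = (\mathcal{M}, E)$,
the maximum number of edge disjoint paths in $G$ connecting terminals
1 and 2 is equal to

$$ \min_{B \subset \mathcal{M}:\ 1 \in B,\ 2 \in B^c} \bigl(\text{number of edges that cross } \{B, B^c\}\bigr). $$

Applying this to $G^{(n)}$ as above, we have that for
$n \in \mathcal{N}$,

$$ \frac{1}{n} \mu(A, G^{(n)}) = \frac{1}{n} \min_{B \subset \mathcal{M}:\ 1 \in B,\ 2 \in B^c} \Biggl( \sum_{\substack{1 \leq i < j \leq m: \\ (i,j) \text{ crosses } \{B, B^c\}}} n I(X_{ij} \wedge X_{ji}) \Biggr). $$

It then follows that

$$
\begin{aligned}
C(A) &\geq \sup_{n \in \mathcal{N}} \frac{1}{n} \mu(A, G^{(n)}), \text{ by (8)} \\
&= \min_{B \subset \mathcal{M}:\ 1 \in B,\ 2 \in B^c} \Biggl( \sum_{\substack{1 \leq i < j \leq m: \\ (i,j) \text{ crosses } \{B, B^c\}}} I(X_{ij} \wedge X_{ji}) \Biggr) \\
&= C^{\mathrm{ub}}(A), \text{ by (7)}.
\end{aligned}
$$

The last equality follows upon noting that when $|A| = 2$, the
minimization in (7) is over only those partitions that contain two
atoms, each of which includes terminal 1 and terminal 2, respectively.
This proves (ii). ■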


C. SK Capacity and Spanning Tree Packing for $A = \mathcal{M}$

When all the terminals in $\mathcal{M}$ seek a shared SK, i.e., when
$A = \mathcal{M}$, a Steiner tree for $A$ is a spanning tree for
$\mathcal{M}$. In this case, we show that the lower bound for SK
capacity in Theorem 3.3 (i) is, in fact, tight. Specifically, we show
that the algorithm in the proof of Theorem 3.3 yields an SK of maximum
rate that coincides with the upper bound for $C(\mathcal{M})$ in
Lemma 3.2.

Theorem 3.4: For a PIN model, the SK capacity $C(\mathcal{M})$ is

$$ C(\mathcal{M}) = \sup_{n \in \mathcal{N}} \frac{1}{n} \mu(\mathcal{M}, G^{(n)}) = C^{\mathrm{ub}}(\mathcal{M}). \tag{13} $$

Remark: When $A \subset \mathcal{M}$, Steiner tree packing may not
attain SK capacity. In SK generation, a helper terminal in $A^c$ helps
link the user terminals in $A$ in complex ways through various
combinations of subsets of $A$. In general, an optimal such linkage
need not be attained by Steiner tree packing. However, when
$|A| = 2$, the two user terminals are either directly connected or are
connected by a path through helpers in $A^c$; both can be accomplished
by Steiner tree packing. When $A = \mathcal{M}$, the mentioned
complexity of a helper is nonexistent.

Proof: The proof relies on a graph-theoretic result of Nash-Williams
[18] and Tutte [20] that gives a min max formula for the maximum size
of spanning tree packing in a multigraph.

It is clear that $\frac{1}{n} \mu(\mathcal{M}, G^{(n)})$ is
nondecreasing in $n \in \mathcal{N}$, by the definition of $G^{(n)}$.
By [18], [20], given a multigraph $G = (\mathcal{M}, E)$, the maximum
number of edge disjoint spanning trees that can be packed in $G$ is
equal to

$$ \min_{\mathcal{P}} \left\lfloor \frac{1}{|\mathcal{P}| - 1} \bigl(\text{number of edges that cross } \mathcal{P}\bigr) \right\rfloor, $$

with the minimization being over all partitions $\mathcal{P}$ of
$\mathcal{M}$. Applying this to $G^{(n)}$ as above, we have that for
$n \in \mathcal{N}$,

Denoting by D the quantity in above, it follows that

$$ C(\mathcal{M}) \geq \sup_{n \in \mathcal{N}} \frac{1}{n} \mu(\mathcal{M}, G^{(n)}), \text{ by Theorem 3.3} $$

$$ = C^{\mathrm{ub}}(\mathcal{M}), \text{ by (7)}. $$

The assertion in (13) is now immediate. ■

Lastly, the following observation is of independent interest. 
Given a combinatorial problem of finding the maximal packing 
of Steiner trees in a multigraph, we can always associate with 
it a problem of SK generation for an associated PIN model. 
By Theorem 3.3 (i), the SK capacity for the PIN model yields 
an upper bound for the maximum rate of edge disjoint Steiner 
trees that can be packed in the multigraph; the upper bound 
is tight both in the case of path packing by Theorem 3.3 (ii) 
and in the case of spanning tree packing by Theorem 3.4. 
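
A numerical check of Lemma 3.2 against Theorems 3.3 (ii) and 3.4 on a small network, as an added example that is not code from the paper: it evaluates the partition bound (7) by enumeration, counts edge disjoint paths for $|A| = 2$ with unit augmenting paths, and applies the Nash-Williams and Tutte formula for $A = \mathcal{M}$. The mutual information values are constructed, and the function names are assumptions made for this illustration.

```python
from collections import deque
from fractions import Fraction
from math import floor


def set_partitions(items):
    """Yield every partition of the list `items` as a list of atoms."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in set_partitions(rest):
        for k in range(len(part)):
            yield part[:k] + [[first] + part[k]] + part[k + 1:]
        yield [[first]] + part


def c_ub(weights, terminals, A):
    """Right side of (7): minimum over partitions whose atoms all intersect A."""
    best = None
    for part in set_partitions(sorted(terminals)):
        if len(part) < 2 or any(not (set(atom) & set(A)) for atom in part):
            continue
        atom_of = {v: idx for idx, atom in enumerate(part) for v in atom}
        crossing = sum(w for (i, j), w in weights.items() if atom_of[i] != atom_of[j])
        value = Fraction(crossing, len(part) - 1)
        best = value if best is None else min(best, value)
    return best


def edge_disjoint_paths(edge_counts, s, t):
    """mu(A, G) for A = {s, t}: one unit of flow per augmenting path (Menger)."""
    cap = {}
    for (i, j), c in edge_counts.items():
        cap[(i, j)] = cap.get((i, j), 0) + c
        cap[(j, i)] = cap.get((j, i), 0) + c
    nodes = {v for edge in edge_counts for v in edge}
    paths = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in nodes:
                if v not in parent and cap.get((u, v), 0) > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return paths
        v = t
        while parent[v] is not None:   # use up one parallel edge along the path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        paths += 1


def spanning_tree_packing(edge_counts, terminals):
    """Nash-Williams/Tutte value: floor of the minimum over all partitions."""
    return floor(c_ub(edge_counts, terminals, terminals))


def multigraph(mutual_info, n):
    """G^(n): n * I(X_ij ^ X_ji) parallel edges between terminals i and j."""
    return {edge: int(n * value) for edge, value in mutual_info.items()}


# Constructed values of I(X_ij ^ X_ji), in bits, for m = 4 terminals.
M = {1, 2, 3, 4}
MI = {(1, 2): 1, (1, 3): 2, (2, 3): 1, (2, 4): 1, (3, 4): 2}

if __name__ == "__main__":
    print("A={1,4}: paths", edge_disjoint_paths(multigraph(MI, 1), 1, 4),
          "bound", c_ub(MI, M, {1, 4}))
    for n in (1, 3):
        print("A=M, n =", n, "trees/n =",
              Fraction(spanning_tree_packing(multigraph(MI, n), M), n),
              "bound", c_ub(MI, M, M))
    print("A={1,2,4}: bound (7) =", c_ub(MI, M, {1, 2, 4}))
```

For these values the spanning tree rate is 2 at n = 1 and reaches the bound 7/3 at n = 3, which is why the theorems take a supremum over n.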

IV. Discussion 

Our proofs of Theorems 3.3 and 3.4 give rise to explicit
polynomial-time schemes for forming a group-wide SK for the terminals
in $A$ from the collection of optimum and mutually independent SKs for
pairs of terminals in $\mathcal{M}$ (namely the $K_{ij}$s in the proof
of Theorem 3.3). When $|A| = 2$ or $A = \mathcal{M}$, our schemes
achieve SK capacity. Specifically, the schemes combine known
polynomial-time algorithms for finding a maximal collection of
edge-disjoint paths (resp. spanning trees) connecting the vertices in
$A$ when $|A| = 2$ (resp. $A = \mathcal{M}$) 161, El, m with the
technique for SK propagation in each tree as in the proof of
Theorem 3.3.

For a general multiterminal source model, the notions of wiretap
secret key (WSK) [13], fl], H and private key (PK) m have also been
proposed. Specifically, these notions involve an extra "wiretapped"
terminal, say $m + 1$, that observes $n$ i.i.d. repetitions of a rv
$X_{m+1}$ with a given joint pmf with $(X_1, \ldots, X_m)$, and to
which the eavesdropper has access. The key must now be concealed from
the eavesdropper's observations of
$X_{m+1}^n = (X_{m+1,1}, \ldots, X_{m+1,n})$ and the public
communication. The notion of a WSK requires that terminal $m + 1$ not
cooperate in key generation. The less restrictive notion of a PK
allows cooperation by terminal $m + 1$ by way of public communication.
The corresponding capacities for the terminals in
$A \subseteq \mathcal{M}$ are defined in the usual manner, and denoted
by $C_W(A)$ and $C_P(A)$. We remark that in the context of a PIN
model, terminal $m + 1$ represents a compromised entity.

One model for the wiretapped rv $X_{m+1}$ entails its consisting of
$\binom{m}{2}$ mutually independent components, one corresponding to
each pair $(X_{ij}, X_{ji})$, $1 \leq i < j \leq m$, of legitimate
correlated signals. This model is unresolved even in the simplest case
of $m = 2$ terminals flU, fH, H, Q, ifTOl . Instead, we consider a
different model which depicts the situation in which an erstwhile
legitimate terminal $m + 1$ becomes compromised. Specifically, the
model now involves every legitimate terminal $i$ in $\mathcal{M}$
observing $n$ i.i.d. repetitions of the rv $(X_i, X_{i,m+1})$, while
terminal $m + 1$ observes $n$ i.i.d. repetitions of
$X_{m+1} = (X_{m+1,j},\ j \in \mathcal{M})$. We argue in the following
proposition that the WSK and PK capacities for this PIN model are the
same as the SK capacity of a reduced PIN model obtained by
disregarding terminal $m + 1$ and with each legitimate terminal $i$ in
$\mathcal{M}$ observing just $X_i^n$.

Proposition 4.1: It holds that

$$ C_W(A) = C_P(A) = C(A). $$

Proof: We shall prove that

$$ C(A) \overset{(a)}{\leq} C_W(A) \overset{(b)}{\leq} C_P(A) \overset{(c)}{\leq} C(A). $$

The inequality (b) is by definition. Next, let
$K = K(X_1^n, \ldots, X_m^n)$ be a SK for $A$ achieved with
communication $\mathbf{F} = \mathbf{F}(X_1^n, \ldots, X_m^n)$ for the
reduced PIN model. Then $K$ is also a WSK since

$$
\begin{aligned}
s\bigl(K; \mathbf{F}, (X_{m+1,j}^n,\ j \in \mathcal{M})\bigr)
&= \log |\mathcal{K}| - H\bigl(K \mid \mathbf{F}, (X_{m+1,j}^n,\ j \in \mathcal{M})\bigr) \\
&= s(K; \mathbf{F}) + I\bigl(K \wedge (X_{m+1,j}^n,\ j \in \mathcal{M}) \mid \mathbf{F}\bigr) \\
&= o_n(1)
\end{aligned}
$$

since $I\bigl(K, \mathbf{F} \wedge (X_{m+1,j}^n,\ j \in \mathcal{M})\bigr) = 0$,
thereby establishing (a). In order to establish (c), we claim that
every achievable PK rate is an achievable SK rate for the reduced PIN
model upon using randomization at the terminals in $\mathcal{M}$; by
remark (ii) after Proposition 3.1, (c) then follows. Since
$(X_{m+1,j}^n,\ j \in \mathcal{M})$ is independent of
$(X_1^n, \ldots, X_m^n)$, any terminal in $\mathcal{M}$, say
terminal 1, can simulate $(X_{m+1,j}^n,\ j \in \mathcal{M})$ and
broadcast it to all the terminals. Next, each terminal $i$ in
$\mathcal{M}$ can simulate $X_{i,m+1}^n$ conditioned on
$(X_{m+1,j}^n,\ j \in \mathcal{M}) = (x_{m+1,j}^n,\ j \in \mathcal{M})$.
This second step of randomization is feasible since
$(X_1^n, \ldots, X_m^n), X_{1,m+1}^n, \ldots, X_{m,m+1}^n$ are
conditionally mutually independent conditioned on
$(X_{m+1,j}^n,\ j \in \mathcal{M}) = (x_{m+1,j}^n,\ j \in \mathcal{M})$.
Thus, each terminal $i$ in $\mathcal{M}$ now has access to
$(X_i^n, X_{i,m+1}^n)$ while the eavesdropper observes
$(X_{m+1,j}^n,\ j \in \mathcal{M})$, so that the reduced PIN model for
SK generation can be used to simulate a PIN model for PK generation
with the given underlying joint pmf. Thus, any achievable rate of a PK
for $A$ in the given PIN model for PK generation is an achievable rate
of a PK for $A$ in the simulated model. Further, the latter PK is a
fortiori an SK for $A$ in the reduced PIN model with randomization
permitted at the terminals in $\mathcal{M}$. This establishes (c). ■

In the proof of achievability of SK capacity for the general
multiterminal source model in |@1, an SK of optimum rate was extracted
from "omniscience," i.e., from a reconstruction by the terminals in
$A$ of all the signals $(X_i^n,\ i \in \mathcal{M})$ observed by the
terminals in $\mathcal{M}$. In contrast, the scheme in Theorem 3.3
(ii) (resp. Theorem 3.4) for achieving SK capacity for a PIN model
with $|A| = 2$ (resp. $A = \mathcal{M}$) neither seeks nor attains
omniscience; however, we note that omniscience can be attained by
letting the terminals in $\mathcal{M}$ simply broadcast all the
residual bits left over from a maximal path packing (resp. maximal
spanning tree packing).

We close with the observation that in the proof of Theorem 3.3, the SK
bit generated by each Steiner tree in Step 2 is exactly independent of
the public communication in that tree. Thus, if the pairwise SKs in
step 1 are "perfect" with zero security index, then so is the overall
SK for $A$. It transpires that for the PIN model, there is a tight
connection between "perfect secrecy generation" and "communication for
perfect omniscience," redolent of the asymptotic connection in [4].

This new connection and the role of Steiner tree packing in attaining
perfect omniscience and generating perfect secrecy are the subjects of
a sequel paper [17].